RADIUS server – Packet Tracer

How’re we doing, everyone? It’s John again. I’m gonna do a quick video on AAA, which is Authentication, Authorization and Accounting. In this video I’m going to configure a RADIUS server. So let’s start. As you can see, the basic topology is quite simple: we’ve got 2 routers here, and a server up here. They’re all in the same network. The addresses are 192.168.1.1, 192.168.1.2, and 192.168.1.3 at the top, so let’s kick off, and just check that we actually have connectivity between the devices, so ping 192.168.1.2, that’s fine, and let’s ping the server. That’s also fine. So the first thing that we want to do is go to the actual server and configure the AAA. So we’ll go up to Services, AAA, service is on, and what we want to do is configure the client name. Now, the way this is going to work is we’re going to configure R1 to use the RADIUS server, so R2 is going to SSH in, and R1 is going to essentially authenticate with the server, which will check the credentials and allow access. So when we’re configuring the client name, we’re going to be using R1 and R1’s client IP address, which is 192.168.1.1. The “secret”. The secret is essentially the password. That needs to match on both the server and the router; that’s how both devices authenticate with one another, so we’ll do that. The password, the secret password, we’ll use something simple like “cisco”. Server type: we can use RADIUS or TACACS+. In this demonstration I’m going to be doing RADIUS, so let’s do that, and add. Now, the username… I suppose at this point I should kinda make a bit of a point on why you would use a RADIUS server.
In a small topology like this, it really isn’t worth it, but for the sake of demonstration I’m keeping it simple. But imagine you were in a large company where you had lots and lots of users with username and password combinations, and lots of devices: if you had to go into every single router and type in every single username and password combination, it would take a long time, plus there’s also an issue with scalability. If you start adding in routers, you need to go in locally and configure all the usernames and passwords for every single new router. Whereas if you use AAA, all you need to do is tell the new router to use the RADIUS server and that’s it. It’s way, way simpler. So let’s start off and add in some usernames. So we’ll just keep it simple, we’ll do “John” and the password we’ll do “John1”, uhh, “David”… David, oops, let me type that right, “David1”, uhh, “Mark”, “Mark1”. Okay, that’s enough. Really you’d add a lot, lot more than this, but for the sake of demonstration, let’s just keep it at 3. Okay, so that’s configured. Let’s close this down. Now you want to go into the actual device which will use the server, which is R1 in this case. So. Maximize that. The first thing that you want to do is “aaa new-model”; that basically tells the router to use AAA. Okay, a word of warning here. Good practice when you’re configuring a RADIUS or TACACS+ server is to also configure a local account, in case the server goes down and you’re not locked out of the actual device. So as a backup, we’ll do a username and we’ll just call it “backup” for simplicity, and we’ll do… the password will be a secret password, and we’ll just do “backup1”. Keep the same kinda format, “backup1”. Okay! So that’s the backup. That will not actually be used, or actually be accessible, when the RADIUS server is up. It will actually be denied if you try to put in these credentials when the server is available!
However, should the server go down, the router will be configured to fall back and use these credentials, so you actually can get back in without having to do a password recovery, so let’s kick on. “aaa authentication” – and there’s two kinds of authentication we can do here. We can do it for “login”, which is your basic – just accessing the router – and for your… you know the “enable secret” type thing? The enable secret password. You can do it for the login and the enable password, so let’s do it for both, and we’ll do “login” and we’ll use the “default” list, and we’re gonna use “group radius”, and then use “local”. Now, the actual order which you put these in is actually very important. Essentially, because I’ve written “radius” first, then “local” second, that specifies the order of operations. It specifies that the… the router will look to use the RADIUS server first… *and should that not be available*… it will fall back to the local! So don’t do “local radius”! Do “radius local”! Okay, and likewise, that was for the “login”; let us now do it for the “enable” password. So we’ll do the same thing, “authentication”, and we’ll do “enable”, use “default group”, and, again, you want to use “radius” first, and fall back to “local” if it’s not available. Now! Now that that’s configured, what we also need to do is essentially tell the router where to look for the RADIUS server, so we’ll use, uhh, we’ll do “radius-server host”, and the IP address of the server is 192.168.1.3. And the “key”, if you remember, I believe we configured that as “cisco”. So let’s go into that. Yep! The key here needs to match on both the server and the router. So “cisco” is what we’re going to use here. So “key cisco”, and that should be that! Now what we’re going to do is configure it for SSH only – and not telnet – so let’s do an “ip domain-name” and we’ll just keep it simple, “cisco.com”… and we’ll do “ip ssh version 2”.
And we’ll do a “crypto key generate” and we’ll generate some “RSA” keys. For 1024 bits! Okay, and we’ll go into the actual “line vty 0 4”, and we’ll “transport input ssh”; that essentially tells the router to use SSH – and disallow telnet – if we did the reverse and did “telnet” that would disallow SSH, but that’s what we do not want! We want to actually use SSH! So “transport input ssh”. Now here’s the important part! Very often when you’re using SSH, you might say “login local” and tell the router to use the local database. That’s NOT what we want to do! What we want to do is “login authentication”, and it’s the “default” we used, if you remember? If you just skip up here, we used “login” and used the “default”, so that’s what we want to do here! So “login authentication default”. Not “login local”! Okay, that’s that, and “ctrl C” and that should be it configured. So let’s test it now. So the first thing that I want to do is do “ssh -l”… and we’re going to actually try the *backup* password, remember what I said to fall back on? *This should not actually be accessible just now*. So we’ll do “backup” and we’ll use version 2 of SSH, and we’ll put the IP address in of the target, which is “192.168.1.1”. Password; again, this should not allow us access if I’ve configured this correctly. “Invalid”. “Invalid”. Good! Now the ones which *should* work are the ones which we configured on the server, which would be “david”, “john”, and whatever the other one was, so let’s keep it simple, and we’ll do “ssh -l”, we’ll log in with “john”, we’re using “version 2” and “192.168.1.1”, and the password we used was “john1”. And now we’ve got access! Similarly, when we go to do the “enable”, we’ll also be prompted for the username and password again. So we’ll do “enable”. Username: j o h n. “john1”. Now we have access! “Show run”. And now we’re in to the actual… we’ve SSH’d in. Now, just one final point before I finish this video.
What I’m going to do is show you what happens when the RADIUS server is not accessible, and *suddenly the local database will be accessible*. So let’s go into the switch, and I’ll just shut down the port which connects to the server. “enable”. “conf t”. I think it was “fa0/3”? And we’ll just shut that down. Yup, okay! So that’s now inaccessible. So. If I go… we’ll exit that out, and I go and I use “ssh -l”… and we try the “backup” now. Version 2. And we’ll put the IP address “192.168.1.1”, and we’ll try that and we’ll do “backup1”. Take a wee while to test it. It will actually check. It will see that the server is down… and then fall back… and hopefully log in. That’s what I hope anyway! Yeah, see, it took its time! Essentially it was trying to authenticate with the server, it could see that the server was inaccessible, and then fell back to the default of the local database. So essentially that is a short video on how to configure AAA, and how to configure a RADIUS server. The next one I’ll do will probably be a TACACS+ one, and it’s pretty much the exact same process. You just change “tacacs+” for “radius”. So yeah! That’s the end of the video and I’ll see you guys soon. Bye.
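The two mistakes the video warns about (writing “local radius” instead of “radius local”, and putting “login local” on the vty instead of “login authentication default”) are easy to spot in a saved running-config. The following is an added example, not code from the video, that audits an IOS config text for exactly those points; the embedded config is a constructed copy of R1’s setup as built above, and the command syntax it matches is the classic IOS form the video uses.

```python
import re

# Constructed sample of R1's running-config as built in the video (not captured output).
SAMPLE_CONFIG = """\
aaa new-model
username backup secret backup1
aaa authentication login default group radius local
aaa authentication enable default group radius local
radius-server host 192.168.1.3 key cisco
ip domain-name cisco.com
ip ssh version 2
line vty 0 4
 transport input ssh
 login authentication default
"""

def _vty_lines(lines):
    """Return the indented sub-commands of the first 'line vty' section."""
    block, inside = [], False
    for ln in lines:
        if ln.startswith("line vty"):
            inside = True
        elif inside and ln.startswith(" "):
            block.append(ln.strip())
        elif inside:
            break
    return block

def audit_aaa(config):
    """Map each check from the video to True (pass) or False (fail)."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    vty = _vty_lines(lines)
    results = {
        "aaa_new_model": "aaa new-model" in lines,
        "local_backup_user": any(ln.startswith("username ") for ln in lines),
        "radius_server_with_key": any(re.match(r"radius-server host \S+ .*key \S+", ln) for ln in lines),
        "ssh_only_vty": "transport input ssh" in vty,
        # The vty must use the AAA list; 'login local' would bypass RADIUS entirely.
        "vty_uses_aaa_list": "login authentication default" in vty and "login local" not in vty,
    }
    for kind in ("login", "enable"):
        prefix = f"aaa authentication {kind} default "
        methods = next((ln[len(prefix):].split() for ln in lines if ln.startswith(prefix)), [])
        # RADIUS must be tried first, with 'local' after it as the fallback ('local radius' is wrong).
        results[f"{kind}_radius_then_local"] = methods[:2] == ["group", "radius"] and "local" in methods[2:]
    return results

def failing_checks(config):
    """Names of failing checks, sorted; empty when the config matches the video's setup."""
    return sorted(name for name, ok in audit_aaa(config).items() if not ok)
```

Feed it the output of “show running-config” saved to a file to confirm a router still tries RADIUS first and keeps the local fallback.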

4 Replies to “RADIUS server – Packet Tracer”

  1. Joel Muhong says:

    GREAT AND INTERESTING VIDEO

  2. Levirre says:

    ty man this definitely helped me learning AAA

  3. Pierre Abrie says:

    Thanks Boet. Appreciated

  4. zoltron30 says:

    very nice….
